
(ITS#5690) cn=config cannot be rootdn

Full_Name: Quanah Gibson-Mount
Version: RE24
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

In OpenLDAP 2.3, it was possible to set the rootdn of the main database to be
cn=config.  This no longer works in OpenLDAP 2.4, but seems like it should be
valid to me.

Example config:

include         /opt/zimbra/openldap-2.4.12/etc/openldap/schema/core.schema
include         "/opt/zimbra/openldap-2.4.12/etc/openldap/schema/cosine.schema"
include         "/opt/zimbra/openldap-2.4.12/etc/openldap/schema/inetorgperson.schema"
pidfile         /opt/zimbra/openldap-2.4.12/var/run/slapd.pid
argsfile        /opt/zimbra/openldap-2.4.12/var/run/slapd.args
modulepath      /opt/zimbra/openldap-2.4.12/libexec/openldap
moduleload      back_hdb.la
moduleload      back_monitor.la
moduleload      syncprov.la
moduleload      accesslog.la
database        config
rootpw secret
database        monitor
rootdn          "cn=config"
access to dn.children="cn=monitor"
        by * read
database        hdb
suffix          cn=accesslog
directory       /opt/zimbra/data/openldap/accesslog/db
rootdn          cn=accesslog
index           default     eq
index           entryCSN
index           objectClass
index           reqEnd
index           reqResult
index           reqStart
access to dn.subtree="cn=accesslog"
        by dn.exact="cn=config" read
        by dn.exact="uid=zmreplica,cn=admins,cn=zimbra" read

# Checkpoint the database to prevent transaction loss in unclean shutdowns, and
# speed up slapd shutdowns.
checkpoint 64 5

cachesize 10000
timelimit unlimited
sizelimit unlimited

overlay syncprov
syncprov-nopresent  TRUE
syncprov-reloadhint TRUE
database        hdb
suffix          ""
rootdn          "cn=config"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication is encouraged.
rootpw          secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /opt/zimbra/data/openldap/db
# Indices to maintain
index   objectClass     eq
index   cn                     pres,eq,sub
index   displayName            pres,eq,sub
index   sn                     pres,eq,sub
index   gn                     pres,eq,sub
# recommended for replication
index   entryUUID              eq
index   entryCSN               eq
sizelimit unlimited
timelimit unlimited
overlay syncprov
syncprov-checkpoint 20 10
syncprov-sessionlog 500
overlay         accesslog
logdb           cn=accesslog
logops          writes
logsuccess      TRUE
logpurge        07+00:00        01+00:00

Slaptest fails with:

line 74 (suffix         "")
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
line 75 (rootdn         "cn=config")
>>> dnPrettyNormal: <cn=config>
<<< dnPrettyNormal: <cn=config>, <cn=config>
line 79 (rootpw ***)
/opt/zimbra/openldap-2.4.12/etc/openldap/slapd.conf: line 79: <rootpw> can only be set when rootdn is under suffix
slaptest: bad configuration file!

cn=config is *clearly* under "", and changing it to "cn=config,dc=junk" works. 
So it's specific to the term "cn=config".  Changing it to "cn=joe" works just
fine.  It also doesn't seem to care that I use "cn=config" with back-monitor...
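The observations above (cn=config fails, cn=config,dc=junk and cn=joe pass, cn=accesslog under its own suffix passes) are consistent with the check routing the rootdn to a database by longest matching suffix rather than by a plain string test. The following is an added toy model written for this page, not OpenLDAP's own code; it assumes that back-config and back-monitor own the implicit suffixes cn=config and cn=monitor, that a DN is routed to the database whose suffix matches it most specifically, and that rootpw is accepted only when the rootdn routes back to the database being configured. DN normalization here is simplified to case folding and whitespace trimming.

```python
"""Toy model of routing a rootdn to a database by suffix matching.

Constructed example for illustration; this is NOT OpenLDAP's code, and the
routing rule and rootpw check it implements are assumptions about slapd.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def normalize_dn(dn: str) -> Tuple[str, ...]:
    """Split a DN into its RDNs (most specific first) with case and
    whitespace folded.  Real normalization (RFC 4514 escaping, multi-valued
    RDNs) is more involved; this toy is enough for the DNs on the page."""
    dn = dn.strip().strip('"')
    if dn == "":
        return ()
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return tuple(rdns)


def dn_is_suffix(dn: Tuple[str, ...], suffix: Tuple[str, ...]) -> bool:
    """True when `suffix` is the trailing part of `dn`.  The empty suffix
    (suffix "") matches every DN, including cn=config."""
    if len(suffix) > len(dn):
        return False
    return suffix == () or dn[len(dn) - len(suffix):] == suffix


@dataclass
class Database:
    backend: str
    suffix: str
    rootdn: Optional[str] = None

    @property
    def nsuffix(self) -> Tuple[str, ...]:
        return normalize_dn(self.suffix)


def select_backend(dn: str, databases: List[Database]) -> Optional[Database]:
    """Assumed routing rule: the database whose suffix matches `dn` most
    specifically wins, so an exact "cn=config" is claimed by back-config
    before the catch-all "" database."""
    ndn = normalize_dn(dn)
    best = None
    for db in databases:
        if dn_is_suffix(ndn, db.nsuffix):
            if best is None or len(db.nsuffix) > len(best.nsuffix):
                best = db
    return best


def rootpw_allowed(db: Database, databases: List[Database]) -> bool:
    """Assumed check behind "<rootpw> can only be set when rootdn is under
    suffix": the rootdn must route back to the database being configured."""
    if db.rootdn is None:
        return False
    return select_backend(db.rootdn, databases) is db


# Databases in the order the report's slapd.conf declares them (constructed;
# back-config and back-monitor are given their implicit suffixes).
CONFIG = Database("config", "cn=config")
MONITOR = Database("monitor", "cn=monitor", rootdn="cn=config")
ACCESSLOG = Database("hdb", "cn=accesslog", rootdn="cn=accesslog")
MAIN = Database("hdb", "", rootdn="cn=config")
DATABASES = [CONFIG, MONITOR, ACCESSLOG, MAIN]


def routes_to(rootdn: str) -> str:
    """Suffix of the database that claims `rootdn` under the assumed rule."""
    db = select_backend(rootdn, DATABASES)
    return db.suffix if db else "<none>"


def main_with_rootdn(rootdn: str) -> bool:
    """Re-run the rootpw check for the suffix "" database with another rootdn,
    mirroring the cn=config / cn=config,dc=junk / cn=joe experiments."""
    trial = Database("hdb", "", rootdn=rootdn)
    return rootpw_allowed(trial, [CONFIG, MONITOR, ACCESSLOG, trial])


if __name__ == "__main__":
    for dn in ("cn=config", "cn=config,dc=junk", "cn=joe"):
        print(f'rootdn "{dn}" routes to suffix "{routes_to(dn)}"; '
              f"rootpw allowed on suffix \"\": {main_with_rootdn(dn)}")
```

Under this model the main database's rootdn "cn=config" is routed to back-config, so the rootpw check fails even though the DN is under "" by a plain suffix test; "cn=config,dc=junk" and "cn=joe" route to "" and pass, and the accesslog database's own rootdn passes because it routes to itself. The monitor database also names cn=config as rootdn but sets no rootpw, which is why that line would never trigger the check.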